Compliance with California Privacy Laws: Federal Law Also Provides Guidance to Businesses Nationwide

Over the past several years, personal information has been lost or stolen as a result of a series of high-profile security breaches. In January 2006, the U.S. Federal Trade Commission announced that ChoicePoint will be required to pay $15 million in fines and penalties for a high-profile security breach that occurred in 2005. The ChoicePoint breach and similar events have spurred an explosion of state and federal privacy legislation. In particular, the State of California has taken the lead by enacting the strictest disclosure and security procedure requirements in the country. The implications of California’s new laws can be felt throughout the U.S., since they affect any business that collects personal information about California residents. This article will focus on a new California law, Assembly Bill 1950, which requires businesses to maintain “reasonable security standards” for personal information without further defining such standards. In particular, the article examines how businesses can comply with A.B. 1950 by performing a risk management analysis and borrowing security standards from the federal Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.